njrat | a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200

General

Target

a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe
Size

450KB
MD5

09ce5265625b19b7da8de9cd3516caa2
SHA1

f7a3ce800949de5eed57cd5d0787a5d8b179ee1f
SHA256

a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200
SHA512

636a4cdda8a6599d50f138440a5277e9f2ad6b3b501d4774f96e6763cf50e67decdeee650d97e6534bb4138885a2455a60079f6974f943a34b766fce8f6d2550

Score

10^/10

njrat hack trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacK

C2

93.181.219.38:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

ddddddddddddddddddddddd.exeNINOCHKA.exe

pid process

1988 ddddddddddddddddddddddd.exe
1524 NINOCHKA.exe

pid	process
1988	ddddddddddddddddddddddd.exe
1524	NINOCHKA.exe

Loads dropped DLL 4 IoCs

Processes:

a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exeddddddddddddddddddddddd.exe

pid	process
2040	a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe
2040	a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe
2040	a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe
1988	ddddddddddddddddddddddd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NINOCHKA.exe

pid process

1524 NINOCHKA.exe

pid	process
1524	NINOCHKA.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

NINOCHKA.exe

description	pid	process
Token: SeDebugPrivilege	1524	NINOCHKA.exe
Token: 33	1524	NINOCHKA.exe
Token: SeIncBasePriorityPrivilege	1524	NINOCHKA.exe
Token: 33	1524	NINOCHKA.exe
Token: SeIncBasePriorityPrivilege	1524	NINOCHKA.exe
Token: 33	1524	NINOCHKA.exe
Token: SeIncBasePriorityPrivilege	1524	NINOCHKA.exe
Token: 33	1524	NINOCHKA.exe
Token: SeIncBasePriorityPrivilege	1524	NINOCHKA.exe
Token: 33	1524	NINOCHKA.exe
Token: SeIncBasePriorityPrivilege	1524	NINOCHKA.exe
Token: 33	1524	NINOCHKA.exe
Token: SeIncBasePriorityPrivilege	1524	NINOCHKA.exe
Token: 33	1524	NINOCHKA.exe
Token: SeIncBasePriorityPrivilege	1524	NINOCHKA.exe
Token: 33	1524	NINOCHKA.exe
Token: SeIncBasePriorityPrivilege	1524	NINOCHKA.exe
Token: 33	1524	NINOCHKA.exe
Token: SeIncBasePriorityPrivilege	1524	NINOCHKA.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exeddddddddddddddddddddddd.exe

description	pid	process	target process
PID 2040 wrote to memory of 1988	2040	a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe	ddddddddddddddddddddddd.exe
PID 2040 wrote to memory of 1988	2040	a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe	ddddddddddddddddddddddd.exe
PID 2040 wrote to memory of 1988	2040	a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe	ddddddddddddddddddddddd.exe
PID 2040 wrote to memory of 1988	2040	a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe	ddddddddddddddddddddddd.exe
PID 1988 wrote to memory of 1524	1988	ddddddddddddddddddddddd.exe	NINOCHKA.exe
PID 1988 wrote to memory of 1524	1988	ddddddddddddddddddddddd.exe	NINOCHKA.exe
PID 1988 wrote to memory of 1524	1988	ddddddddddddddddddddddd.exe	NINOCHKA.exe
PID 1988 wrote to memory of 1524	1988	ddddddddddddddddddddddd.exe	NINOCHKA.exe

C:\Users\Admin\AppData\Local\Temp\a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe
"C:\Users\Admin\AppData\Local\Temp\a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe
"C:\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\NINOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\NINOCHKA.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NINOCHKA.exe
Filesize
43KB

MD5
236e1fc09c60c6b43e67b197df93e8ee

SHA1
5922e2d133d58070c7e2f8b48d02b65b3da669ba

SHA256
168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006

SHA512
8dc5b04a6baec69c93d60b676028d30276e9afdc34297802411785cc4212b2169fbc96dc63f8a75c4f583a7ba4e7992e8e5724070b7ed964429ec51f0579f9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NINOCHKA.exe
Filesize
43KB

MD5
236e1fc09c60c6b43e67b197df93e8ee

SHA1
5922e2d133d58070c7e2f8b48d02b65b3da669ba

SHA256
168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006

SHA512
8dc5b04a6baec69c93d60b676028d30276e9afdc34297802411785cc4212b2169fbc96dc63f8a75c4f583a7ba4e7992e8e5724070b7ed964429ec51f0579f9f2

Download Submit
C:\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe
Filesize
43KB

MD5
236e1fc09c60c6b43e67b197df93e8ee

SHA1
5922e2d133d58070c7e2f8b48d02b65b3da669ba

SHA256
168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006

SHA512
8dc5b04a6baec69c93d60b676028d30276e9afdc34297802411785cc4212b2169fbc96dc63f8a75c4f583a7ba4e7992e8e5724070b7ed964429ec51f0579f9f2

Download Submit
C:\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe
Filesize
43KB

MD5
236e1fc09c60c6b43e67b197df93e8ee

SHA1
5922e2d133d58070c7e2f8b48d02b65b3da669ba

SHA256
168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006

SHA512
8dc5b04a6baec69c93d60b676028d30276e9afdc34297802411785cc4212b2169fbc96dc63f8a75c4f583a7ba4e7992e8e5724070b7ed964429ec51f0579f9f2

Download Submit
\Users\Admin\AppData\Local\Temp\NINOCHKA.exe
Filesize
43KB

MD5
236e1fc09c60c6b43e67b197df93e8ee

SHA1
5922e2d133d58070c7e2f8b48d02b65b3da669ba

SHA256
168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006

SHA512
8dc5b04a6baec69c93d60b676028d30276e9afdc34297802411785cc4212b2169fbc96dc63f8a75c4f583a7ba4e7992e8e5724070b7ed964429ec51f0579f9f2

Download Submit
\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe
Filesize
43KB

MD5
236e1fc09c60c6b43e67b197df93e8ee

SHA1
5922e2d133d58070c7e2f8b48d02b65b3da669ba

SHA256
168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006

SHA512
8dc5b04a6baec69c93d60b676028d30276e9afdc34297802411785cc4212b2169fbc96dc63f8a75c4f583a7ba4e7992e8e5724070b7ed964429ec51f0579f9f2

Download Submit
\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe
Filesize
43KB

MD5
236e1fc09c60c6b43e67b197df93e8ee

SHA1
5922e2d133d58070c7e2f8b48d02b65b3da669ba

SHA256
168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006

SHA512
8dc5b04a6baec69c93d60b676028d30276e9afdc34297802411785cc4212b2169fbc96dc63f8a75c4f583a7ba4e7992e8e5724070b7ed964429ec51f0579f9f2

Download Submit
\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe
Filesize
43KB

MD5
236e1fc09c60c6b43e67b197df93e8ee

SHA1
5922e2d133d58070c7e2f8b48d02b65b3da669ba

SHA256
168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006

SHA512
8dc5b04a6baec69c93d60b676028d30276e9afdc34297802411785cc4212b2169fbc96dc63f8a75c4f583a7ba4e7992e8e5724070b7ed964429ec51f0579f9f2

Download Submit
memory/1524-64-0x0000000000000000-mapping.dmp

Download
memory/1524-67-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/1988-61-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/1988-58-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads